Category Archives: Security

8 Challenges of BYOD in SharePoint: an Insider’s Tips

Editor’s Note: Contributor Ben Henderson is Client Services Manager for Colligo. Follow him @ben3003

When you look at the numbers, the challenges of BYOD in SharePoint reach far and wide. 17,000 organizations now run SharePoint as their enterprise CMS and 125 million SharePoint licenses have been sold to date, according to file-sharing company Accellion. Gartner reports 70% of organizations allow users’ personal devices to access network systems and enterprise applications, and an astounding 78% of white-collar employees in the US use their own laptops, smartphones and tablets for work purposes (Cisco Systems).

You do the math. Thousands of IT departments are dealing with the daily challenges of actively monitoring and managing a myriad of mobile devices, while still delivering SharePoint content in a way that is easy and useful so that employees don’t look to less secure alternative solutions.

So what’s the problem? Two words – data breaches. In March 2011, 40 million employee records were stolen from RSA Security; the year before that Gawker Media experienced compromised email addresses and passwords of about 1.3 million commenters on popular blogs Lifehacker, Gizmodo and Jezebel, plus the theft of the source code for Gawker’s custom-built content management system. Although not on the same scale, corporate data breaches are common. According to research firm Ponemon, about 85% of all US companies have experienced one or more data breaches.

SharePoint Needs Careful Management

SharePoint is capable of handling more than 200 file types out of the box. Imagine the data it can unleash. Without appropriate and consistent policies around access controls and security measures, such as restricted remote access, critical information can be left to twist in the wind.

Administrative mishaps, incorrectly configured services, and broad access rights all create security vulnerabilities. In the wrong hands, consumer-grade devices open an easy way through these vulnerable holes to enterprise data stored on the device and sometimes into the entire enterprise network.

As experts in SharePoint collaboration, we’ve learned first-hand where our customers face the biggest BYOD challenges in SharePoint, and they broadly divide into two categories: security and ease of use. The two go hand-in-hand to satisfy the needs of the organization as a whole and the individual users. Let’s start with security.

1. I’ve Lost my Phone

The number 1 security concern with BYOD connecting to enterprise networks is loss or theft of those devices. Foreground Security, a consulting firm, reports that 47% of employees have no passcode for their mobile phones. Malicious individuals will have access to any enterprise data stored on the device and possibly even to data stored on enterprise servers.

IT departments need to put in place, and enforce, strong password policies for every mobile device. Further, you should also consider creating password access to apps or browser access points into SharePoint, auto-wiping content after a series of unsuccessful tries, and setting up the ability to remotely wipe content from the device.

2. Authentication

On the topic of remotely wiping content, controlling access to SharePoint content on mobile devices is key. To protect sensitive corporate information, enterprises need to implement more fine grained security mechanisms and access control policies within the centralized or cloud-based SharePoint systems. IT departments need to pay attention to authorization policies that know who is accessing information and what type of data they are accessing, as well as what time of day, from what location and over what type of connection.

To achieve this, there needs to be proper site governance of both the content and structure of the SharePoint site. Note that this goes both ways, so that content that is created and changed on mobile devices needs to follow the same set of authorization policies as content on the SharePoint site.

The good news is that SharePoint, Microsoft Outlook and Windows file server provide integration with identity providers like Active Directory Federation Services to enforce fine grained policies on what types of information users are permitted to view and access, even to the point of the specific device the user is connecting with.

Also note, for compliance with some of the more rigorous standards like HIPAA and SOX, enterprises need to go beyond access controls and encryption. To comply with these rigorous standards they need to implement logging and auditing to provide a trail of where the content is and has been.

3. Containerization

At the recent Gartner Security and Risk Management Summit, analyst Eric Maiwald commented: “BYOD means my phone, my tablet, my pictures, my music – it’s all about the user.” We could add to that: my confidential documents, my customer lists, my company financials, my bids and my patent information, and we have the full picture.

Separating corporate and personal data can be a thorny problem. One solution is containerization and this topic deserves an article all on its own. For the purpose of this article, we’re just making a note of its advantage. There are many choices for technologies for separating out and managing corporate email, applications and data. Just beware when making your choice, though: you’ll often need to use the vendor’s API and SDK to link customized apps to the container.

4. Jailbroken Devices

It’s no joke when a jail-broken iOS device appears on your corporate network. These devices pose a serious security risk. Worst case scenario is that malware can be introduced to your network through the use of unauthorized apps, and many jailbroken iOS devices also install a secure shell server that remote attackers can exploit.

Many MDM solutions are able to detect jail-broken devices, but don’t rely on your container solution to do this on its own. According to Gartner analyst Eric Maiwald: “If you have a rooted device, a container will not protect you.” You’ll need a multi-layered approach to jail-breaking, starting with educating employees about the risks and implications of jail-breaking their devices.

5. Malicious Apps or Hackers

What if a malicious app or person tries to access corporate documents? It has to be about the security settings you ensure all employees set on their device. For iOS devices, for example, encrypting vital information and users’ SharePoint credentials with hardware encryption and then storing them in the device’s Keychain will protect sensitive data. You’ll also want to pay attention to rogue apps that use the iPad’s screen capture capabilities, detect any modifications made to the .plist files on the iPad, and check whether content is backed up on iTunes.

6. Preventing Information from Being Shared Externally

Employees often need to share documents with customers and partners, and this does create security issues for IT departments. The biggest issue is when employees send a document as an attachment to an email. Once that happens you lose the thread of who is sharing the document with whom, and there is no knowing who the customer then may share it with.

One solution is to offer the option to email documents as links in SharePoint. This adds extra security as the recipient must have the required SharePoint credentials to access the link and you can set authorization policies around the retrieval of said document.

7. User Interface

On the flip side of enterprise-wide security, we have ease of use for the individual. It goes without saying that if users cannot access SharePoint on their mobile devices or if they cannot access SharePoint content the way they would like to with an easy to use interface, they will look to alternate solutions for collaborating with colleagues and customers.

Out of the box, SharePoint 2013 has paid attention to the mobile experience with four browser-based experiences and the HTML-5-based contemporary view option, as well as the ability to design your own view based on your organization’s usability requirements. Your ability to choose the experiences, though, depends on a number of factors, including the devices you have and the type of site you are trying to enable.

There are also a number of third party solutions that cater to a wide range of devices to ensure employees adopt SharePoint for their mobile experience. Just note that the user experience is paramount to the success of your deployment, and it starts with the user interface.

8. Working with Documents Offline

Field workers, sales professionals, external auditors are just some examples of employees who spend a large portion of their working days away from the office. To work efficiently, they will need offline access to email content stored in SharePoint. You’ll need a solution that allows users to selectively cache their SharePoint content to give them instant access to remain productive on the road or in the field.

There you have it. My hit list of measures you need to consider for successfully deploying a BYOD strategy in SharePoint.

Why Rogue IT is Changing the Way We Do Business


Editor’s note: Follow contributor Mark Fidelman @markfidelman

A security team at a large non-profit heard there were a bunch of people using Dropbox without authorization and their files had recently been hacked, so they made a call to Dropbox. Without authenticating their identity, Dropbox offered the list of 1600 user names and their email addresses. “The Dropbox guys wanted to get them moved to the enterprise version so much they were willing to share a customer list without even authenticating the folks on the phone!”

It gets worse.

A pharmaceutical company in the middle of a six-week drug test to secure FDA approval suddenly saw a tech-savvy group’s rogue IT missteps corrupt their data, destroying the test and ultimately costing $500 million in lost revenue.

Rogue IT horror stories like these are happening all the time. Whether dealing with super tech savvy employees seeking simple solutions, or tech challenged folks using whatever consumer app is readily available, either employee scenario can be the stuff of IT nightmares.

Are these people just terrible employees? No, they’re part of today’s increasingly mobile workforce, and they need better options when it comes to working on the go. Without consistent, easy to use productivity and collaboration options, most opt to use unsanctioned services like Dropbox or Google Docs, causing financial consequences as well as data loss, unintentional data leaks, reputational damage and full company shutdowns for days or weeks as they scramble to resolve these issues.

And it’s not only businesses that suffer – employees feel Enterprise IT pains as well. Can you imagine being fired for that instant message you just sent? Well, you certainly could be if you’re sharing sensitive customer data (including credit cards and bank routing details) across consumer IM networks, like MSN Messenger, Yahoo and AOL (true story). You didn’t know it was that serious of an offense? Well, THAT is part of the problem.

The disconnect between business users and Enterprise IT is multi-faceted. If it continues to grow unchecked, and if employees can’t be convinced to drop Dropbox and other unsafe services like it in favor of simple-to-use, safe, company-sanctioned alternatives, these problems are just the beginning.

My client is hosting a Rogue IT Horror Story contest that seeks to draw attention to these risks, by highlighting what happens when organizations don’t keep pace with employees’ needs and said employees “go rogue.”

We want to know your story. You will remain anonymous so that we can better understand why it’s happening and how to help IT and employees come to a better solution. Submit yours by this Friday October 18th for the chance to win a free pass to SharePoint Conference 2014 or Samsung Galaxy 4. Again, all submissions are anonymous and will be judged by a panel of mobile enterprise, security and IT experts, including Christian Buckley, Bob Egan, Michael Krigsman, Maribel Lopez, Nicholas McQuire and Benjamin Robbins, together with the IT community.

The best (worst) stories will be announced on All Hallow’s Eve.

HIPAA Compliance and Office 365


Editor’s note: Contributor Mike Fleck is Co-founder of CipherPoint Software, Inc. Follow him @mfleckca

Healthcare organizations have to share patient information but they also have to keep that information private. The two requirements are in direct conflict. Add the Cloud and things get really “interesting!”

Cloudy with a chance of breach

Everyone wants to move to the cloud – especially for file sharing use cases. For larger healthcare organizations the motivation to move to the Cloud is often to consolidate enterprise users to a common platform (as opposed to the scattershot “shadow IT” approach that exists today). Smaller companies often just want to get off servers. Regardless of why HIPAA covered entities are moving to the Cloud or how big those entities are, the reality is they have patient privacy and security needs beyond what Office 365 and other platforms provide. When it comes to HIPAA covered entities, Microsoft’s Office 365 is better than most (more on that later), but organizations need to approach Cloud adoption with a clear understanding of what their hosting provider can do from a security standpoint and what the end-user organization is responsible for. The scary thing is that users are adopting Cloud file sharing platforms far in advance of the enterprise actually being able to manage the risk of a breach of patient information associated with those platforms.

Carry a big stick

When the Obama Administration included patient privacy enforcement in the HITECH Act, many of us in the privacy business noted that HIPAA finally got some “teeth.” The HITECH Act and other related changes resulted in very impactful provisions relative to breaches of patient data, including:

  • The establishment of fines for losing unsecured electronic patient healthcare information
  • The notion of shared risk for companies that provide services (aka Business Associates) to a HIPAA covered entity.
  • The use of data at rest encryption as a form of safe harbor from the breach notification requirements

The Haves and the Have Nots

In the first paragraph I mentioned that Office 365 is better than most offerings. The reason I say this is because of what’s called a Business Associate Agreement (BAA). A HIPAA Business Associate (BA) is any organization that provides services to a HIPAA covered entity that traffic in patient information. A BAA is an agreement that a Business Associate signs to share risk of a breach of patient information relative to the BA’s services. SaaS and other Cloud providers are clearly delineated into two camps: those that will sign BAAs and those that won’t. Microsoft will sign a BAA. Google, Dropbox and many others will not. This dynamic is wreaking havoc with organizations that have patient information. At best they can get existing providers to sign a BAA. At worst, they have to track down rogue usage of services like Dropbox and threaten employees with serious consequences.

Common Threads

In the past several months we’ve talked to a lot of enterprise security leaders in the healthcare space about their patient privacy needs relative to Office 365. They tell us that they do not want to be in the business of controlling who can collaborate with whom but they do need to get a level of central control over patient privacy. These healthcare providers, payers, and other covered entities need to identify patient information in Office 365, encrypt that information at rest (to get Safe Harbor), and track who accesses it. Microsoft’s willingness to sign a BAA just means that Office 365 is on the short list of options. These healthcare systems and other organizations recognize that they, not Microsoft, are responsible for how the enterprise users consume Office 365.

Don’t rock the boat

The reality is there are collaboration platforms built explicitly for regulated or high security use cases. The problems with these platforms are that they are much more expensive than Office 365 and, maybe more important, users don’t want to adopt them. The right way to approach the problem is to make the platforms like Office 365 secure for patient information.

Securing Office 365 so that you can safely store patient information on the platform translates to encrypting the data, applying access controls, and auditing access to the data. With these three technical security controls in place, you’ll be in good shape to prove to auditors that you’re protecting your ePHI as required by HIPAA security requirements.

Data Encryption in a Post-PRISM Cloud


Editor’s note: Contributor Mike Fleck is Co-founder of CipherPoint Software, Inc. Follow him @mfleckca

The recent exposure of PRISM and the role that Cloud providers played in that program changes how businesses need to think about Cloud data encryption. These conclusions reduce to two bullet points:

  1. Implicitly trusting your Cloud provider is not a wise move when it comes to storing your sensitive and confidential data in the Cloud. Enterprises must maintain strict control of their information even while it resides and is consumed in the Cloud.
  2. Highly sophisticated organizations want your data. Enterprises need to adopt Cloud data encryption technologies that follow encryption and key management best practices.

Maintain Control

The Cloud provides great economies of scale for both the consumer of the Cloud service and the provider. For example, Microsoft, Google, and Amazon can buy more and better security technologies because they can split their cost-basis across a huge customer base.

The security challenge, then, relates to maintaining control of your information. As someone in one of my recent presentations said, “once you put your data in the Cloud it becomes the property of your Cloud provider who allows you the right to access it for a monthly fee.” With non-commodity Cloud offerings, enterprises can put the Cloud provider through months of due diligence and contract negotiations. That approach doesn’t work with offerings like Office 365 and the like. The best way to maintain control of your data is to encrypt it before it hits the Cloud and then maintain physical ownership of both the data encryption keys and the encryption/decryption functions.

Leave Encryption to the Professionals

While the US Government is the focus of attention these days (for obvious reasons) don’t forget that there are other nations trying to peek at your Cloud data. Like any other group of competitive organizations, if one is doing it the others are, too. This means that your organization is likely to face determined attackers with plenty of resources.

Here are some top concerns when it comes to the landscape of Cloud data encryption vendors:

  1. Proprietary Encryption Algorithms are the one thing that you never, ever want to use. If an encryption algorithm hasn’t been created, vetted, and accepted on a global academic and government scale then don’t use it. Period.
  2. Usability at the cost of security is an approach that vendors take when they don’t have the expertise and experience to devise a Cloud data encryption system that is both secure and usable. There will, of course, always be an impact to usability for securing your data but remember the first bullet. Cutting corners is as good as doing nothing at all.
  3. Encryption and key management requires a pedigree. Encryption and key management are highly specialized disciplines. Few organizations have the talent and experience necessary to make encryption and key management both secure and usable. There are a lot of moving pieces like Initialization Vectors, sources for random numbers, encryption key storage, key rotation, and key expiration, just to name a few. We’ve touched on this topic in a previous blog post.

Challenges Securing SharePoint Against Privileged Insiders


Editor’s note: Contributor Mike Fleck is Co-founder of CipherPoint Software, Inc. Follow him @mfleckca

It is well documented at this point that some leaked Wikileaks data came from SharePoint sites. Details have emerged regarding how the data relating to the PRISM breach was obtained, and this breach, like Wikileaks, also involved SharePoint.

To provide some structure for this discussion, we’ll break the discussion into three types of collaboration platforms: legacy file servers, on-premises SharePoint sites, and cloud collaboration platforms such as Office 365 and SharePoint Online.

Legacy file servers

Insider security threats in legacy file server environments include classic systems administrator issues (excessive permissions, inability to enforce need to know, lack of separation of duties). Third party products exist that can help add a layer of security control to these environments. These products enforce need to know by using an independent access control and encryption capability, which is usually managed by IT security or by the business manager (data owner).

On-premises SharePoint

Purpose-built collaboration platforms such as SharePoint bring a multitude of security issues, many of which depend on the use case, and the deployment model.

For example, SharePoint when deployed as an intranet collaboration system presents a different set of potential security threats versus SharePoint as an extranet collaboration platform. Regardless, however, it’s hard to argue that the SharePoint platform, out of the box, has sufficient security controls to prevent insiders from accessing sensitive information that they have no valid “need to know” of.

Even if you implement background checks and other process-based controls to mitigate insider threats, consider that administrator credentials are among the most prized targets by external attackers. Given the porous nature of perimeter-only security defenses today, implementing technical security controls that limit the damage that can be done from compromised system administrator accounts is just smart security (and part of a defense in depth strategy). It’s also worth acknowledging that systems administrators frequently take the path of least resistance, by combining service accounts and privileges. This can easily lead to a situation where the sysadmin’s credentials are literally the “keys to the kingdom.”

Locking down premise SharePoint sites requires an additional layer of access control and encryption.

Cloud Collaboration (Office 365, SharePoint Online)

Cloud collaboration systems bring a different set of security issues. Whether SaaS or IaaS, it’s impossible to ignore the fact that in external cloud services, outsiders (in the form of cloud service provider system administrators) are your new insiders (and insider threat).

Here’s an article that describes the havoc that can be brought by a rogue cloud service provider system administrator.

As with premise file servers and SharePoint sites, applying encryption and access control to data stored in cloud collaboration systems is the only way (from a technical control standpoint) to protect access to sensitive data. There are a number of different technical approaches to securing cloud data. Future articles will explore the various ways to do this.

Is Dropbox vs. Office 365: The Next IT Battleground?


Editor’s note: Follow contributor Mark Fidelman @markfidelman

A big mismatch is looming today between how CIOs view the world and how most employees view the world — and it’s creating an even deeper gap between the two.

For many of today’s employees, IT is the equivalent of the roadblock department in charge of slowing productivity and causing unnecessary headaches. Employees expect instant access to their work-related data and services from their personal tablets and smartphones – but, in most cases, IT is unable to support them. In today’s mobile world, employees are not waiting for IT anymore. They are taking matters into their own hands and bypassing IT altogether. That’s dangerous.

In fact, according to a newly released uSamp survey of 500 mobile business users (commissioned by my client), four in ten mobile business users happily ignore IT restrictions proclaimed by their slow-moving, draconian IT departments to try out file sharing services such as Dropbox. Its simple experience is a huge draw, and unlike SharePoint, it works just as well on Android and Apple phones as it does on tablets, PCs and Macs. So what’s the issue?

Its infamous security flaws, for one. Ask just about any CIO you know and they’ll tell you that Dropbox is a huge security risk.

In this August 2013 security research report, Dhiru Kholia of Openwall and Przemysław Wegrzyn of CodePainters detail various methods to bypass Dropbox’s authentication, intercept SSL data and use a combination of code injection and ‘monkey patching’ techniques to hijack Dropbox accounts. What’s more, according to the uSamp survey, one in four workers (27%) who shared a document using Dropbox and other unsanctioned cloud services suffered negative repercussions, ranging from lost business to lawsuits and financial penalties.

That’s a problem.

And it gets worse: 38 percent of respondents to the uSamp survey said that a document shared using an unsanctioned service such as Dropbox reached an unintended recipient in the past 6 months, and 27 percent reported a data breach and negative consequences as a result. So chances are uncomfortably high that if your employees are using Dropbox at their discretion, they’ll make a big – and potentially costly – mistake. Adding insult to injury, SharePoint customers waste nearly $1 billion a year in duplicate Dropbox file sync and sharing services, reports in this infographic:

The High Cost of Mobile Business Users’ Rogue IT Behavior

You can download the full report at

So how can peace between IT professionals and their business users be restored? The de facto Dropbox and SharePoint co-existence solution is an expensive one. Can a clean cut be made? And if so, how?

One obvious solution is to deliver secure, full featured access to Office 365 and SharePoint from corporate-owned and personally owned iOS and Android devices, in addition to Windows. Given Microsoft’s reluctance to offer its prized productivity and collaboration suite directly to customers with multiple operating systems, five MDM vendors – Airwatch, Citrix, Good Technology, MobileIron, and Samsung KNOX – have taken matters into their own hands and offer secure access to Office 365 and SharePoint document collaboration and social features from iOS and Android devices, in partnership with

That’s one potential solution; built-in data encryption for document collaboration is another. What additional mobile security solutions would you like to see over the next two to three years?

Insider Threats, SharePoint, and the Snowden and Wikileaks Security Breaches


Editor’s note: Contributor Mike Fleck is Co-founder of CipherPoint Software, Inc. Follow him @mfleckca

At a high level, the Snowden and Wikileaks security breaches both highlight the insider threat to sensitive information. The “insider threat” has been well understood (for a very long time) to be very serious (significant impacts are likely from insider security breaches). Also well known is the difficulty in implementing controls that fully mitigate the threat.

Without proper security controls in place, it is fairly easy for insiders to access sensitive information in SharePoint. Note that this problem is not specific to SharePoint. Most IT technologies can be compromised by a malicious individual with administrator privilege.

While both PRISM and Wikileaks involved government entities (a national intelligence agency and the DoD), the threat from insiders and system administrators is a universal one. Every year, we see numerous stories about insiders from a myriad of different companies and industries walking off with sensitive or valuable data.

A few key takeaways regarding the insider threat and SharePoint:

  • SharePoint security should start with understanding the information assets that exist on your SharePoint sites. It’s fundamentally not possible to assess risk without this understanding. I talk with many SharePoint users, and it’s frankly alarming how many have no real idea if there’s sensitive or regulated content stored on the platform, or where it exists. If you’re in this boat, you should scan your SharePoint content periodically looking for sensitive and regulated data.
  • Any organization with sensitive or valuable information in SharePoint is at risk. Certainly this includes defense and intelligence organizations, but it also includes commercial organizations with high-value IP, trade secrets, financial information, M&A information, Human Resources information, and many other categories of valuable information.
  • In any given organization, controls aimed at fully mitigating the insider threat will likely need to include both technical controls, and administrative controls. Most IT platforms do not provide native security controls capable of preventing administrators from accessing information for which they have no “need to know”. This is obviously true for SharePoint deployed with out-of-the box security controls implemented on-premises. It’s also true for cloud collaboration platforms such as SharePoint Online, Office365, Box, and others. In addition, technical controls will need to include a mix of preventive controls (access controls and encryption), and detective controls (audit and reporting).
  • Platforms like SharePoint can be used in high security applications. 3rd party security tools can enable businesses to expand their use of SharePoint, and to bring the benefits of collaboration to new use cases involving sensitive and regulated data (while maintaining security, even against malicious insiders).
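One way to run the periodic scan recommended in the first takeaway, as an added example that is not from the original post or from any vendor's product. It assumes document text has already been exported from the SharePoint libraries; the paths, sample contents and the choice of two detectors (US Social Security numbers and payment card numbers) are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Loose candidate patterns; the validators below reject most look-alikes
# (order references, badge numbers, part codes) to keep false positives down.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    path: str    # document the value was found in
    kind: str    # "us-ssn" or "payment-card"
    line: int    # 1-based line number inside the document
    masked: str  # last four digits only, so the report is not itself sensitive


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural rules for US SSNs: some ranges are never issued."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list:
    """Return a Finding for every validated sensitive value in one document."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_ok(*m.groups()):
                findings.append(
                    Finding(path, "us-ssn", lineno, mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(
                    Finding(path, "payment-card", lineno, mask(digits)))
    return findings


def scan_library(documents: dict) -> dict:
    """Scan {path: text}; return only the documents that need attention."""
    report = {}
    for path, text in documents.items():
        hits = scan_text(path, text)
        if hits:
            report[path] = hits
    return report


# Constructed sample content (hypothetical site paths, placeholder values).
HR_DOC = "/sites/hr/Shared Documents/onboarding.txt"
FIN_DOC = "/sites/finance/Shared Documents/refunds.txt"
MKT_DOC = "/sites/marketing/Shared Documents/launch-plan.txt"
SAMPLE_DOCS = {
    # Line 3 looks like an SSN but uses the never-issued 000 area.
    HR_DOC: "New hire: J. Doe\nSSN on file: 123-45-6789\nBadge 000-12-3456\n",
    # Line 2 has 16 digits but fails the Luhn check.
    FIN_DOC: "Refund to card 4111 1111 1111 1111\nOrder ref 1234 5678 9012 3456\n",
    MKT_DOC: "Launch date 2013-11-13, budget 125000\n",
}

if __name__ == "__main__":
    for doc_path, hits in scan_library(SAMPLE_DOCS).items():
        for hit in hits:
            print(f"{doc_path}:{hit.line} {hit.kind} {hit.masked}")
```

The report carries only masked values and locations, so it can be handed to site owners for remediation without creating a second copy of the regulated data.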

Here are a few external articles involving security breaches where malicious insiders were the source of attack:

The folks at Carnegie Mellon US CERT have done some good work in characterizing insider threats and attacks. They’ve also created an insider threat security architecture that describes the sorts of controls needed in an IT architecture to thwart malicious insiders. See their resources here.

SharePoint Security Impacts From Snowden and Wikileaks Breaches


Editor’s note: Contributor Mike Fleck is Co-founder of CipherPoint Software, Inc. Follow him @mfleckca

The biggest security story that we’ll see this year is the Snowden - NSA - PRISM leak. The biggest security story in the past couple of years prior to PRISM has clearly been Wikileaks. Common threads obviously run through these breaches, starting with the use of SharePoint by both organizations and the attackers in both cases compromising the confidentiality of information therein. The UK newspaper The Register reported a few weeks ago that the Snowden breach involved information obtained out of SharePoint servers. There are so many different angles to these security breaches, and they are so important, that we’ll address them in a series of blog posts over the next few weeks. Topics for these blogs include:

1)   The increasing importance of security controls that aim to keep system administrators honest or from mistakenly putting the organization at risk. While both Snowden and Wikileaks involved national intelligence agencies and the DoD, the threat from insiders and system administrators is a universal one. Every year, we see numerous stories about insiders from a myriad of different companies and industries walking off with sensitive or valuable data or just accidentally making information publicly accessible. This article describes the insider threat (posted and available here), and will discuss challenges to securing IT systems against insiders that are common to many organizations and IT platforms.

2)   It is well documented at this point that some leaked Wikileaks data came from SharePoint sites. NSA has also very recently admitted that data relating to the PRISM breach was obtained from SharePoint servers. It is now clear that the Edward Snowden a) was a system administrator, b) had system administrator privileges across a variety of systems, and c) did not have “need to know” for the information that was stolen and subsequently leaked, and d) obtained much of the information that he’s now leaking from a SharePoint server. This article describes specific challenges relating to securing information in collaboration platforms against system administrators, with specific focus on premise SharePoint sites. To many in the SharePoint world,  “SharePoint security” is synonymous with “SharePoint permissions” and the Snowden breach is a great example of how permissions are a single point of failure and do not (in and of themselves) equate to a proper security architecture.

3)   Solving the SharePoint insider threat issue. Protecting data in SharePoint requires the right mix of security controls, and the right architectural approach. Data encryption and access controls at the application layer are critical.

4)   In defense of SharePoint… Both the Snowden and Wikileaks breaches involved SharePoint. This doesn’t mean, however, that SharePoint is inherently flawed from a security standpoint. It does mean that a defense-in-depth approach needs to be taken with SharePoint, as with any other IT platform. This blog will explore what a rigorous defense-in-depth security architecture for SharePoint looks like. The key takeaway… SharePoint farms can be adequately secured to store even the most sensitive data, from a multitude of threats, including privileged insiders.

5)   Security of data in cloud services has been a big issue since cloud first emerged. From the perspective of the PRISM program, and the data collected, both enterprises and consumers using or planning to use cloud services have to be seriously concerned about their data in cloud services. You have to approach cloud services at this point by assuming that your data is being looked at by third parties, including cloud systems administrators, and by governmental agencies. This article will look at cloud data privacy and security issues in light of these developments.

6)   If you accept that cloud data is at great risk, you have a number of different ways to approach securing the data. Data encryption is the primary security tool to employ, and there are big and important choices to be made, including where to insert the encryption (on a client, in a proxy, in a SaaS service, or on the cloud computing infrastructure itself), and how and by whom your encryption keys and encryption routines are managed. This article will explore encryption implementation issues related to securing cloud data.

A final thought, and we believe an important one. This is not solely a SharePoint security issue. This is a gross generalization, but most IT platforms, and particularly collaboration-oriented platforms, are challenged to adequately secure against rogue systems administrators and insiders. The solution to securing SharePoint and other IT platforms against insiders will always boil down to careful application of security controls, including ones that are native to the platform, and 3rd party controls that further lock down the platform and data.

An analogy we use: if your house gets broken into, but you like the house, keep the house and buy a security system. People love SharePoint for the collaboration efficiencies the platform brings to the enterprise. Add to SharePoint the right set of administrative and technical security controls, and you’ve got a winning combination. It is possible to use the SharePoint platform for use cases involving highly sensitive data!

Play “Hide and Seek” in SharePoint



Editor’s note: Contributor Ellen van Aken is an experienced intranet adoption manager. Follow her @EllenvanAken

After my earlier rant about people who want to secure their content for no good reason, I thought I would give some suggestions for alternative ways to hide content when it makes sense.

First let me stress that I recognize that some content is sensitive and really needs to be secured. But there is also a lot of content which is not confidential, but which you still may want to hide, to avoid information overload in general. Specific reasons may be:

  • The content is only relevant to a certain audience
  • You do not want people to influence each other
  • You want to allow people to focus on their own content, e.g. in projects or tasks lists

Next to giving permissions there are two other ways to hide content that I know of, but I will be happy to learn new ways!

1. Targeting.

In SharePoint it is relatively easy to target web parts to an audience. You can specify one or more audiences, SharePoint groups or individuals and only they will see the web part.
We have used this especially to target links on the Homepage – in the main navigation, every employee had a link to the Employee Information of his/her country.

2. Configuration.

a. Item-level permissions.
For surveys and lists, you can let people read only the items that have been created by themselves. (Advanced settings). This is nice if you do not want people to influence each other, but not very useful when you want to show the collected information to your audience. I usually apply it only in survey-type occasions.

Item-level permissions in the advanced settings

b. Created by = [Me].
When not using the item-level permissions, I like to use this filter for the default public view. That way people see their own items first and are not influenced by others, and they cannot easily edit other people’s content. You can have additional public views showing all contributors’ items, or the process owner can create personal views and use web parts to display content from all contributors.

c. Impossible filters that show an empty default view.
We have used “Created < 01-01-2000” as the only public view to create an empty looking document library, accessible to all employees. The documents were distributed to other (secured) sites via Content Query web parts. Of course, the owners of the documents created personal views to see all documents. The advantage for the content owners was that the owners of the secured sites could manage access for their site.

d. Hidden columns.
In older versions (e.g. SP2007) you can create views without the Edit button, and without the “Name” column instead of “Name (linked to item/linked to document with edit menu)”. This way, your readers will be unable to click on any items to see the complete item. Of course this is useless for Document Libraries, unless you only want to show that the documents are there. (Perhaps this can also be done in SP2010, but since I am the only one in my environment, I have too many rights to test this)

e. Removing web parts in the list or library.
You can remove the system web part of the list or library to avoid anyone seeing the content, including the site owner. I would recommend this only for very specific occasions, since it is very annoying to have to add the web part back every time.

f. Sending people to a non-default page after submitting data.
I often send people to a Thank You page after completing a survey or other data collection, by customizing the link. It is a nice gesture, it confirms that submission has been successful and it allows you to give more information about next steps. It also hides other people’s responses from view.

I have also sent people from a topsite to a request form in a subsite, and after completion sent them back to the original page in the topsite. They did not have to see other people’s requests, and this way they could continue to do what they were doing in the topsite. Well, you will get the idea; you can use this with all pages within your environment.

How to do it? Your links will normally have this format:

The part before “newform.aspx?” is the “data entry” part of the list, the part from “Source=” the location where people will go after clicking “OK” or “Finish”. You can replace the part after “Source=” with a link of your own choice. Please note this only works when you send a link in an email, use a Links list, or create a button. If you click “New Item” from the list, the link will always use the system format.

Simple Thank You-page


  • Targeted or hidden content will normally still turn up in Search. People can also see it when they have the link to the information. This is not confidential information, so it is not a problem, but it helps to be aware of it. Do not be afraid that people will go and look for this info – they do not know it is there and they probably would not care if they knew.
  • Many people do not understand the difference between targeting (visibility) and security (access/permissions), especially not that you target a web part, but secure a library or list. Be prepared for questions.
  • If you are the site owner, but you are not in the targeted audience, you will not see the content, so it will be difficult to maintain the web part. This is especially the case with Content Editor and Summary Links web parts, because they are not represented in the “back-end” of your site, i.e. the page showing all site content. This may occur when you are managing global content distributed over various “country” web parts.
  • If you target something and you are in the audience, you may forget that the content is not visible for everyone. Mention it in the web part title as a reminder.
  • Remember to discuss any targeting and personal views when handing over responsibilities for a site!

What other ways have you used to hide content without security?

SharePoint: The Key and the Team Site



Editor’s note: Contributor Ellen van Aken is an experienced intranet adoption manager. Follow her @EllenvanAken

In my job (helping business users to use their SharePoint environment as well as possible), I am always looking for good metaphors to explain functionality. This is the first example “from the household” to explain SharePoint to end users.

List/library permissions.

As described earlier, people really like limiting accessibility to their content. However, they often do not understand the implications. Site Owners generally understand the “Owner-Full Control”, “Member-Contribute” and “Visitor-Read” sets of roles and permissions. But when it comes to a list or library within their site that needs different access, things get complicated. Common issues are:

  • They forget to remove groups, so everyone can still read everything.
  • A new owner does not know the list/library has different permissions and does not understand why the audience cannot see a certain list/library. Or worse, they see something that (s)he does not!
  • They forget that permissions are no longer inherited, so adding a group to the site no longer means that group automatically has access to the secured containers. You have to give them access to those containers as well.
  • A new group is being created with access to only one library or list. This new group gets an “access denied” message when they try to enter the site.

Which key(s) do you give your team site users?

Giving access to a team site is like giving a key to your house. You give your groups the key to your front door. Once they are in your house, they can access most rooms freely. Everybody will understand that one or two rooms will be locked, where only the Owners can go.

Do you ask people to enter the room via the window?

But it is a little strange when all doors are locked and you cannot go any further than the hallway and one room, or when you are asked to enter a room via the window.

In other words, giving people access to just one list/library on your site is not the best idea:

  • If you want people to only see one list or library, it means you have to lock down all other lists and libraries. Do you really want to maintain all that?
  • Alternatively, you can ask them to enter via the direct link to the list or library. But that is like asking someone to enter via the window. Not very easy, always suspect and not exactly welcoming.
  • And of course those users will never learn the context of your site.

My suggestion for these situations

  1. Think how much of a problem it really is, to keep your site read-only for those people who need access to one library/list only. Chances are, they do not really care to go to the rest of your site, anyway.
  2. Restrict permissions for a list or library only if it is for one or two lists/libraries and for a smaller audience than your site, e.g. the Owners.
  3. Always mention any special permissions in the description for those lists/libraries to remind you this list/library is different.
  4. In all other cases, rethink. Perhaps a different site or a subsite is easier to understand and maintain.
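
One way to find the lists and libraries that the common issues above are about, as an added example that is not part of the original post: it reports every list/library on a site that no longer inherits permissions, who has access there, and what the same principal has on the site itself. It assumes an on-premises farm with the SharePoint Management Shell, an English-language "Limited Access" permission level name, and a placeholder site URL.

```powershell
# Added example: run in the SharePoint Management Shell on a farm server.
# The default $SiteUrl is a placeholder, not a real site.
param([string]$SiteUrl = "http://sharepoint.example.local/sites/team")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Permission levels of one role assignment, ignoring "Limited Access",
# which on its own does not let anyone open the site home page.
function Get-RealLevels($roleAssignment) {
    @($roleAssignment.RoleDefinitionBindings |
        Where-Object { $_.Name -ne "Limited Access" } |
        ForEach-Object { $_.Name })
}

$web = Get-SPWeb -Identity $SiteUrl
try {
    # Principals that hold a real permission level on the site itself.
    $siteLevels = @{}
    foreach ($ra in $web.RoleAssignments) {
        $levels = Get-RealLevels $ra
        if ($levels.Count -gt 0) { $siteLevels[$ra.Member.Name] = $levels -join ", " }
    }

    foreach ($list in $web.Lists) {
        # Only visible lists/libraries that stopped inheriting from the site.
        if ($list.Hidden -or -not $list.HasUniqueRoleAssignments) { continue }
        foreach ($ra in $list.RoleAssignments) {
            $levels = Get-RealLevels $ra
            if ($levels.Count -eq 0) { continue }
            $name = $ra.Member.Name
            if ($siteLevels.ContainsKey($name)) {
                $onSite = $siteLevels[$name]
                $note   = "Also on the site: confirm this group was meant to stay on the list"
            } else {
                $onSite = "(none)"
                $note   = "List-only access: will get 'access denied' on the site itself"
            }
            New-Object PSObject -Property @{
                List        = $list.Title
                Description = $list.Description   # should mention the special permissions
                Principal   = $name
                ListLevel   = $levels -join ", "
                SiteLevel   = $onSite
                Note        = $note
            }
        }
    }
}
finally { $web.Dispose() }
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` and include it in the handover when a site changes owner.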

What do you think, would this be a good way to explain about issues with list and library permissions?

My inspirations for metaphors have been:

If you know any other good examples, please share!